This article is more than 1 year old

Shove over, 2FA: Authentication upstart pushes quirky login tech

All login tech is hackable (except ours, natch) claims securo-upstart

Security upstart LiveEnsure is trying to shake up the authentication market with technologies that verify users by device type, location and user behaviour, as an alternative to established authentication systems.

The firm is pushing its smartphone-based services as an alternative to security tokens, biometrics, one-time-passwords or SMS messages. All these older techniques are both invasive and ineffective because they are hackable, according to LiveEnsure. "Passwords, dongles, cookies and even biometrics can all be had, somehow," said Christian Hessler, founder and chief exec of LiveEnsure.

Hessler argues that the problems with the effectiveness of established authentication technologies are only getting worse, partly as a result of the growing prevalence of security breaches.

"All modern hacks happen when identity factors or credentials can be taken out of context and used in another context to assume the identity of the hacked victim," Hessler said. "When this can be done over and over, or on a mass scale, it speaks directly to the problem of relying on identity to perform the job of authentication."

In contrast with traditional techniques, LiveEnsure says its technology focuses on user dynamics that "can’t be spoofed, tracked, faked or stolen". LiveEnsure uses context rather than credentials. This is done via a triangulation between device type, “location” and user behaviour.

Location in the context of LiveEnsure can mean being near a wearable owned by the user, as well as a place. Its technology is designed to cope with standard usage scenarios, such as users who normally log in from home happening to be on the move, as LiveEnsure explained in response to a question from El Reg on this point.

The site sets the requirement on location (near ATM, near merchant, on/off campus, etc.) via an API. The user can establish proximal location (like to wearable, other device, or the site/app itself to prevent MitM). These do not conflict or collide, and do not cause friction or failure when the user legitimately moves around, except when they go outside the site/app specified session tolerance (like trying to repeat a transaction not near the cash point, etc).

User behaviour in the context of LiveEnsure refers to the way people “swipe their device” or make a gesture with it in order to log in. More precisely, it refers to any “discrete touch, motion, gesture, orientation or a combination” of these factors, an approach to authentication it argues is more elegant than biometrics.

Behaviour is discrete - unlike biometrics. It does not "recognise" you in a historical, tracking, way such as keystroke logging or walk/gait. It is a wilful behaviour that "salts" the authentication context, like putting your own spin or hash on the security. Any touch, motion, gesture, orientation or combination is in play, but it is very discrete and quantised (easy to repeat). User can set/reset anytime from within a valid session. It also can apply to all their devices uniformly, as well as across all logins, IDs or contexts, thus reducing user friction.

Once combined, the three metrics create a powerful verification system.

All factors, including location, are treated equally as mathematical influences (contributions) to the holistic "context" signature, regardless of their makeup or original data format (like coordinates, device ID, accelerometer data, challenge/response). The context is all factors combined, and mutually dependent in terms of resonating for that session security. No factor is analyzed, trafficked or stored individually, and no comparison or validation is done except at the holistic level. This prevents factor isolation and prediction, replay, automation or use out of context.

Interactive authentication

Mobile users are authenticated at both initial account registration and subsequent validation using the "crowd". The approach is designed to do away with secret questions, out-of-band and pre-banked challenges.

The crowd is algorithmically selected from the user's existing "fabric" of associations, and dynamically contacted from the user's own contact info (social, email, SMS, address book, connections, etc) and queried randomly and in rotation until the threshold of validation is met. The best people to "bail you out" of an authentication crunch are those who already know you. Obviously this feature would not be available to anyone with no such connections. It is an option - a smarter "out of band", as it were.

“The simplest, most direct method to verify a person’s identity is people who know the person, not passwords, tokens or biometrics,” according to LiveEnsure.

The start-up is targeting a wide range of authentication markets, from e-commerce to payments to governments. LiveEnsure’s technology works with Android, iOS and Windows Mobile smartphones.

LiveEnsure is partnering with wearables outfit Pebble, mobile payments service Drop Payments and Intrinsic ID for a mobile payments system. The initiative, dubbed Freehand, is designed to improve the usability experience of wearables and mobile apps in e-commerce. LiveEnsure and Drop have teamed up to work on technologies for mobile transactions on smart devices and wearables.

The firm launched officially on Tuesday. ®
